drupal 10.0.0-alpha4

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008
• Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Additionally, Drupal core's JavaScript development dependencies have been updated to the latest minor and patch releases to address security issues.

Finally, the pinned versions of the composer/composer development dependency have been updated to address a security issue.

This alpha includes many changes that are also included in Drupal 9.4.0-alpha1.

Many breaking changes will be added before Drupal 10.0.0-beta1

Drupal 10 alphas do not include all the breaking changes that will be included in 10.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more APIs that are (or that will be) deprecated in Drupal 9, including several core modules and themes that will be moved to contributed projects. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 10 compatibility of modules, themes, and sites.

Specific, highly disruptive changes that are not available in 10.0.0-alpha4:

1. CKEditor 4 will be removed from Drupal 10 core, and content created with CKEditor 4 might not work in CKEditor 5 because of upstream changes. You must either install the CKEditor 4 module in contrib (which will receive security fixes until Drupal 9's end-of-life in 2023), or update your site and content to CKEditor 5. There is a beta-stability CKEditor 5 module available for testing in Drupal 9 and 10.

2. Various core modules and themes will be moved to contributed projects.

3. Numerous JavaScript libraries and APIs will be removed.

There will be many other specific updates and deprecated API removals beyond this list. For more information on 10.0.x development, see #3118143: [meta] Release Drupal 10 in 2022.

The 10.0.x branch also includes all the latest commits that will be backported to 9.4.x and earlier branches. 10.0.x will be nearly identical to 9.4.x except for the following:

1. Deprecated code will be removed, including entire deprecated modules.
2. Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 9.4.x branch.

Important update information

Refer to the Drupal 10.0.0-alpha1 release notes, the Drupal 10.0.0-alpha2 release notes, and the Drupal 10.0.0-alpha3 release notes for additional changes from 9.4.x.

Changes to the Standard and Umami Demo profiles

• The Standard profile now use Olivero as a frontend theme instead of Bartik, and both Standard and the Umami Demo profile use Claro instead of Seven for the administrative theme. The default configurations for Bartik and Seven have been moved to the optional configuration. Standard and Umami now install with default configuration for Olivero and Claro according to core standards.

  This change does not affect existing sites, but does affect new site installation where the new themes will be the defaults.

• Standard profile will no longer enable the Color module when installed.

Deprecated API removals

• The public Backbone and Underscore core libraries have been removed, and the JavaScript dependencies are deprecated and for internal use only. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0.

  Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

  Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

Dependency updates

The following dependencies have been changed or updated since 10.0.0-alpha3:

• The latest minor versions of all JavaScript dependencies are now required by core yarn constraints. Additionally, the constraints have been changed to only allow patch-level updates for production dependencies. This allows yarn upgrades can be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies.

  The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

• asm89/stack-cors has been updated from version 1.3.0 to 2.0.5. Enabling CORS now preserves cacheability whenever possible.

  Previously, enabling CORS would add Vary: Origin to all requests of a different origin. With this change, enabling CORS will only add this if absolutely necessary.

• Popper.js has been updated from 2.11.2 to 2.11.5.

• The deprecated Backbone and Underscore dependencies have received patch level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases. The composer/xdebug-handler and sebastian/type dependencies have received major version updates that remove support for PHP versions not supported for Drupal 10.

• The Nightwatch testing library has been updated to version 2.1.3. Reference the Nightwatch developer guide for a list of high level changes in the 2.0.0 release.

• Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

• The jsdom development dependency has been updated from 18.1.1 to 19.0.0.

Known issues

Search the issue queue for known issues.

All changes since10.0.0-alpha3

• Issue #3278162 by longwave, xjm, mallezie, Spokje: Update Composer dependencies to the latest minor and patch versions
• Issue #3278163 by xjm, nod_, lauriii: yarn upgrade for latest security vulnerabilities
• Issue #3278732 by Spokje, lauriii: Remove Claro block configuration from Umami
• Issue #3278696 by Spokje: Rename Oliveros block.block.book_navigation.yml and block.block.primary_admin_actions.yml confirm standard
• Issue #3278215 by Spokje, lauriii, eojthebrave, Berdir: (Not so) Random test failures SettingsTrayIntegrationTest
• Issue #3278565 by lauriii, Spokje: Remove Claro block configuration from Standard
• Issue #3266912 by nod_, Wim Leers, lauriii, xjm, mmjvb: Review version constraints for production yarn dependencies
• Issue #3269143 by longwave, catch: Remove deprecated theme key stylesheets-remove
• Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second
• Issue #3265617 by nod_, longwave: Update Nightwatch to 2.x
• Revert "Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second"
• Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second
• Issue #2958358 by Mile23, alexpott: Remove Drupal\Component\Utility's dependency on Drupal\Component\Render
• Issue #3276195 by mondrake, catch: Symfony\Component\Serializer\Normalizer\NormalizerInterface::supportsEncoding/supportsDecoding will require a new "array $context" argument in the next major version
• Issue #3272516 by Wim Leers, yogeshmpawar, bnjmnm, catch: Deprecate FilterInterface::getHTMLRestrictions()' forbidden_tags functionality
• Issue #3270709 by Shashwat Purav, Chi, apaderno: Remove reference to contextual_pre_render_placeholder() function
• Issue #3226016 by Gauravmahlawat, Libbna: Olivero: use multi-class array for adding multiple classes in form--search-block-form.html.twig template
• Issue #3195193 by andregp, paulocs, andypost, quietone, catch: Remove Shepherd shim code from Tour
• Issue #3269152 by yogeshmpawar, longwave, catch: Remove element_settings BC layer in ajax.js
• Issue #3277809 by baddysonja, mherchel: Use Drupal.displace()'s new CSS variables to place Olivero's fixed header
• Issue #3277309 by phjou, mradcliffe, benjifisher, markie: Update links to Drupal documentation pages in Umami
• Issue #2995367 by quietone, xjm, Lendude: Fix update module test fixture names for 8.2.0-rc2 sample data
• Issue #3277274 by richardrobinson, saki007ster, ApocalypticJake, bnjmnm, sjothivelu@valleywater.org, mcolebank, joshmiller, markie, mradcliffe, pilot3, W01F: Dialog css references nonexistient --color-whitesmoke css variable
• Issue #2168711 by yogeshmpawar, droplet, mariancalinro, bnjmnm, peterpoe, lauriii, Kgaut, nod_, benjifisher: Modernizr.touchevents use can lead to scenarios that break contextual links
• Issue #3206217 by mglaman, lauriii, alexpott: Allow starterkit themes to control how the theme is generated
• Issue #3268078 by Spokje, TR: DBLogResource is no longer being tested
• Issue #3219959 by marcoscano, Gábor Hojtsy, eojthebrave, Spokje, mherchel, geekygnr, catch, m4olivei, tstoeckler, lauriii, larowlan, Meenakshi_j, webchick, Berdir, ckrina, xjm, Amber Himes Matz, bnjmnm: Update standard profile so Olivero is the default theme
• Revert "Revert "Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled""
• Revert "Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled"
• Issue #3277743 by xjm, RainbowArray: Update contributor name and username in MAINTAINERS.txt
• Issue #3228691 by Wim Leers, lauriii, nod_: Restrict allowed additional attributes to prevent self XSS
• Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled
• Issue #3266216 by mherchel, rkoller: The section-titles in the preview section on views edit pages have a too low contrast
• Issue #3277405 by Wim Leers, nod_: Update @ckeditor/ckeditor5-list to v34.0.1
• Issue #3261599 by hooroomoo, Wim Leers, bnjmnm: Use CKEditor 5's native <ol start> support (and also support <ol reversed>)
• Issue #3276618 by catch, mherchel, eojthebrave, Gábor Hojtsy: Olivero sets inconsistent classes for active trail between menu and book
• Issue #3276620 by catch, Spokje: Change NoJavaScriptAnonymousTest to use stark theme
• Issue #3229078 by scott_euser, Wim Leers, hooroomoo, brentg, yogeshmpawar, catch: Unit tests for all @CKEditor5Plugin plugin classes
• Issue #3248425 by nod_, yogeshmpawar, Wim Leers, lauriii, bnjmnm, marcvangend: Ensure that all classes and functions in Drupal-specific CKEditor 5 plugins are documented
• Issue #3269085 by alexpott, larowlan, danflanagan8, Matroskeen: [random test failure] Random test fail in EntityAutocompleteTest
• Issue #3276627 by Wim Leers, hooroomoo: CKEditor5::shouldHaveVisiblePluginSettingsForm() does not correctly handle configurable CKE5 plugin that has a filter condition
• Issue #3276670 by hooroomoo, Wim Leers: Some configurations of allowed view modes cause CKE to fail to initialize
• Issue #3087701 by markdorison, shaal, Ruchi Joshi, benjifisher, markconroy, webchick, effulgentsia, johnwebdev, xjm, DyanneNova: Enable Claro as the admin theme in Umami
• Issue #3277057 by Gábor Hojtsy, tedbow, lauriii, ckrina, saschaeggi, bnjmnm: Make Claro the default admin theme in Standard profile
• Issue #3277053 by Gábor Hojtsy, ckrina, saschaeggi, lauriii, bnjmnm: Mark Claro as Stable
• Issue #3081489 by kostyashupenko, mherchel, justafish, andy-blum, yogeshmpawar, lauriii, bnjmnm, huzooka, webchick: Remove duplicate code from veritcal-tabs.js in Claro
• Issue #2717921 by gaurav.kapoor, drnikki, subhashuyadav, pratik_specbee, hmendes, jhodgdon, joachim, effulgentsia, shashikant_chauhan, Wim Leers, larowlan: undocumented #has_garbage_value property of render elements
• Issue #3231334 by Wim Leers, bnjmnm: Global attributes (<* lang> and <* dir="ltr rtl">): validation + support (fix data loss)
• Issue #3020418 by antoineh, ckrina, bnjmnm, fhaeberle, saschaeggi, andregp, ravi.shankar, priyanka.sahni, rkoller, huzooka, balsama, cindytwilliams, modulist, lauriii, antonellasevero: Update Placeholder styles so that contrast ratio passes guidelines
• Issue #3266739 by beatrizrodrigues, joachim: FunctionalTestSetupTrait::prepareEnvironment() is protected when its docs say it should be private
• Issue #3272737 by danflanagan8: Workspaces tests should not rely on Classy
• Issue #3272734 by danflanagan8: Statistics tests should not rely on Classy
• Issue #3269154 by longwave: Remove BC layers from the theme system
• Issue #3271507 by danflanagan8, nod_: Block tests should not rely on Classy
• Issue #3275464 by HEBL, danflanagan8: Remove obsolete test method FrontPageTest::testAdminFrontPage
• Issue #3230230 by bnjmnm, johnwebdev, Wim Leers, lauriii, Anna_CKSource, Reinmar: Enable table captions; override CKE5's default downcast to generate <table><caption></table> instead of <figure><table><figcaption></figure>
• Issue #3261943 by bnjmnm, lauriii, Wim Leers, andreasderijcke, ifrik: Confusing behavior after pressing "Apply changes to allowed tags" with invalid value
• Issue #3273056 by kmonahan, mherchel, Johnny Santos, rkoller, ckrina: Active and hover state of skip to main content has a too low color contrast
• Issue #3271666 by mherchel, cindytwilliams: Olivero pager's next/prev icons don't properly adapt in forced colors
• Issue #3276615 by catch, mherchel: Remove olivero_form_comment_form_alter() comment button label override
• Issue #3256768 by mherchel, nod_, andregp, andy-blum: Drupal.displace() should set CSS Variables indicating displacement values
• Issue #3275216 by akoepke, larowlan: Fix UpdateSettingsForm dependency injection
• Issue #3275114 by Wim Leers, lauriii, bnjmmn: Add subsystem maintainers for CKEditor 5
• Issue #2236983 by quietone, DenEwout: Not at all clear how/when Database::addConnectionInfo should be called
• Issue #3272537 by danflanagan8: Help and Help Topics tests should not rely on Classy
• SA-CORE-2022-009 by kristiaanvandeneynde, larowlan, acbramley, xjm, longwave, catch, jibran, benjifisher
• SA-CORE-2022-008 by mxr576, xjm, effulgentsia, mxr576, larowlan
• Issue #3271305 by m4olivei, mherchel, rafuel92, yogeshmpawar, andy-blum, cindytwilliams: Claro's radio buttons and checkboxes are unusable in high-contrast / forced colors mode
• Issue #3270941 by quietone, ravi.shankar, yogeshmpawar, murilohp, bbrala, andypost: Remove Color module from the Standard profile
• Issue #3256549 by cilefen, murilohp, longwave, catch, Spokje: Remove core/drupal.date asset library
• Issue #3269091 by gambry, yogeshmpawar, jonathanshaw, joachim, alexpott: Undocumented behaviour for Schema::findTables() when an underscore is used
• Issue #3265664 by nod_, longwave, lauriii: Update jsdom to latest major release
• Issue #3225706 by joachim, Gauravmahlawat: rewrite ComposerProjectTemplatesTest::testMinimumStabilityStrictness() so failures say which package fails
• Issue #3270395 by murilohp, nod_, mradcliffe, xjm, Wim Leers: Remove use of underscore from editor.admin.js and filter.filter_html.admin.js
• Issue #3273325 by Dom., Wim Leers, andregp, ifrik: CKE5 and contrib: better "next action" description on upgrade path messages
• Issue #3274278 by Wim Leers, jcnventura, yogeshmpawar, andregp, bnjmnm: Migrate "codetag" contrib CKEditor 4 plugin to built-in equivalent in core's CKEditor 5
• Issue #3233491 by hooroomoo, xjm, lauriii, nod_, justafish, droplet, effulgentsia: Create process for reviewing changes in 3rd party JavaScript dependencies
• Issue #3248295 by danflanagan8, xjm, dww, mglaman: Taxonomy tests should not rely on Classy
• Issue #3274066 by danflanagan8: Node tests should not rely on Classy
• Issue #3274096 by danflanagan8, cliddell: Link Tests should not rely on Classy
• Issue #3274265 by Johnny Santos, danflanagan8: Locale Tests should not rely on Classy
• Issue #3013802 by andregp, yogeshmpawar, gaurav.kapoor, nikitas, Charlie ChX Negyesi, SourabhBhalerao, alexpott, joachim: Improve error message on unrouted URLs
• Issue #3245720 by hooroomoo, nod_, Wim Leers, lauriii, yash.rode: [drupalMedia] Support choosing a view mode for
• Issue #3275180 by xjm, larowlan: Update composer/composer dev dependency version
• Back to dev.